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We consider a variant of the BB84 protocol for quantum cryptography, the prototype of 
tomographically incomplete protocols, where the key is generated by one-way communi- 
cation rather than the usual two-way communication. Our analysis, backed by numerical 
evidence, establishes thresholds for eavesdropping attacks on the raw data and on the 
generated key at quantum bit error rates of 10% and 6.15%, respectively. Both thresholds 
are lower than the threshold for unconditional security in the standard BB84 protocol. 
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1. Introduction 

Quantum cryptography deals with all aspects, both theoretical and experimental, 
of schemes, or "protocols," for quantum key distribution. When implementing a 
quantum key distribution protocol, the two parties — Alice and Bob — exploit 
the laws of quantum mechanics to gain a string of perfectly secure key bits for 
subsequent one-time-pad encryption of a private message. 

The first such protocol, the celebrated BB84 protocol, was proposed by Ben- 
nett and Brassard in 1984. 1 In this brief report, we study raw-data attacks on this 
protocol in an "Ekert setting," where eavesdropper Eve is given the privilege of 
sending entangled qubits to Alice and Bob. This setting is equivalent to the tradi- 
tional scenario where Alice sends qubits to Bob, and Eve performs a cloning attack 
on the qubits in transmission. 

Alice and Bob concede to the fact that there will always be noise in their channel, 
but they only accept unbiased noise. Now, owing to the incomplete-tomographic 
nature of this protocol, Eve is free to send a family of states, with each of them 
appearing the same to Alice and Bob. For them, this state is only parameterized 
by one parameter, the amount of noise they see. We ask this question: which state 
should Eve send to Alice and Bob such that she maximizes her accessible informa- 
tion relative to Alice? 
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We restrict the discussion to the case where the state Eve sends is symmetric 
between Alice and Bob. For all such states, a von Neumann type measurement 
that satisfies the necessary conditions for an optimal POVM — in the sense of 
maximizing the mutual information — is given. But even in this restricted case we 
cannot prove that the POVM found is globally optimal. As usual 2 we can verify 
that we found a local optimum, but any claim on global optimality must rely on a 
thorough numerical search with negative outcome. 

A plausible, self-suggesting answer to that question would be for Eve to send a 
state to Alice and Bob such that it has maximal entropy. But it turns out that this 
is not always her best choice. Rather, when attacking the raw data Eve should send 
the state with the largest degree of separability, or smallest concurrence. From the 
information that is then accessible to Eve, we deduce the security threshold for the 
raw-data attacks. 

2. Partial tomography 

The scenario we shall be discussing is as follows: Alice and Bob are promised a 
sequence of singlets from Eve, an entangled qubit pair provider of dubious reliability. 
Due to practical imperfections in their channel, they compromise with an unbiased- 
noise state a 

PAB = (l-eWi><0i| + |. (1) 

Here \4>i) is the singlet state, and < e < 1 characterizes the amount of noise 
in the channel; the "quantum bit error rate" that is used to quantify the noise 
in the standard BB84 protocol equals \t. Alice and Bob independently perform 
measurements in two complementary bases, the x and z basis, each with equal 
probability. The decision of whether to carry out the measurement in the x or z 
basis is made at random. 

To check the reliability of the source they received, Alice and Bob sacrifice a 
fraction of their qubits to verify that the joint probability table of their measure- 
ments is consistent with (1), i.e., they check that their joint probability table looks 
like Table 1. The quantum version 3 of the de Finetti theorem ensures that the qubit 
pairs received from the source behave like statistically independent pairs. There- 
fore, the joint probabilities of Table 1 tell Alice and Bob the statistical properties of 
those pairs as far as measurements in the x and z bases are concerned, but there is 
no information about the y bases. Accordingly, the "state tomography" performed 
by Alice and Bob in this manner is incomplete, or partial. 

Alice and Bob, being paranoid, assume that the noise in (1) is an artifact of Eve's 
eavesdropping on their communication. So, if the probability table they obtain is 

a In practice, Alice and Bob would not expect to receive such a state with perfectly unbiased 
noise. However, they can include a controlled effective source of noise in their apparatus, by post- 
processing the measured data, and so bring any state they receive to the unbiased-noise state. 
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Tabic 1. Joint probability table between 
Alice and Bob who communicate with each 
other to check that the statistical proper- 
ties of their measurement results are con- 
sistent with this table. 
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skewed, or if they find that the noise level e is too large, Alice and Bob abandon their 
communication. Otherwise they will use the correlations in their data to establish 
a cryptographic key for one-time-pad encryption. 

By means of the partial tomography, Alice and Bob establish the values of eight 
independent parameters of their joint two-qubit state. Explicitly, if we write the 
two-qubit state between Alice and Bob as 

1 3 

PAB = ^ Cjk<Tj ® CTfc , (2) 

j,k=o 

where uq = 1 and aj are the three Pauli matrices, the tomographic constraint of 
consistency with (1) imposes eight constraints on the coefficients Cjk — (<Jj <8> <Jk), 

coi = c 3 = cio = c 30 = ci 3 = c 3 i = and 

cn=C33 = -(l-e). (3) 

With coo = 1 for normalization, there remain seven parameters that are inacces- 
sible to Alice and Bob who, therefore, can ascertain the state they receive only 
partially. Hence we speak of partial tomography. The remaining seven parameters 
are independent and are constrained only by the positivity of pab ■ 

This is in contrast to, say, the "six-state protocol" or the "minimal qubit proto- 
col" where Alice and Bob perform full tomography. 4,5 There they can check all 15 
parameters of their joint two-qubit state, and tomography uniquely characterizes 
the state. In addition to (3), Alice and Bob then have the luxury of insisting on 

C02 = c 20 = C12 = C 2 1 = c 23 = c 32 = 

and c 22 = -(1 - e) (4) 

as well. 

In the partially tomographic BB84 protocol, these parameters are hidden from 
Alice and Bob. A whole family of distinct states appears equivalent to them. They 
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would be wise to assume that Eve uses her freedom to manipulate these hidden 
parameters to her full advantage. 

As the scheme in the BB84 protocol goes, Alice and Bob would reveal publicly 
the bases of their independent measurements. After this announcement, qubit pairs 
measured in mismatched bases are discarded, while the qubit pairs in matched bases 
give them a string of sifted data with stronger correlations. In the absence of noise, 
these sifted data would have perfect correlations, and the resulting key is guaranteed 
to be secure. However, in the presence of noise, a shorter but still perfectly secure 
key can still be distilled by means of classical error correcting codes and privacy 
amplification. 

But Alice and Bob can just as well device a protocol that uses the raw data 
itself; that is, they exploit the correlations available directly from Table 1 to distill 
the same amount of secure key bits. Alice and Bob then need not announce their 
measurement bases. In the subsequent analysis, it is about this raw data that eaves- 
dropper Eve wishes to learn. This is equivalent to Eve attempting to eavesdrop on 
the sifted data if she does not have the means to store her ancilla qubits until after 
Alice and Bob will have announced their choice of bases. 

According to the Csiszar-Kdrner theorem 6 of classical information theory, this 
amount of distillable secure key is measured by the difference in the Shannon's 
mutual information between Alice and Bob and between Alice and Eve. The mutual 
information between Alice and Bob is 

/ AB (e) = i$(l-e) , (5) 

where 

* (x) = \ [(1 - x) log (1 - x) + (1 + x) log (1 + x)} . (6) 

3. Constraints on Eve 

Eve creates an entangled four-qubit state 

4 

|*ABE> = £ |&) \Ej) , (7) 
J = l 

where the unnormalized kets \Ej) are the four two-qubit states of her ancilla which 
record the outcomes of Alice and Bob's measurements, and 

(\z+)\z-)T\z-)\z+))-j= 

(\z+)\z+)±\z-)\z-j)± (8) 

are the four Bell states, which we use as the basis states for the qubit pair received 
by Alice and Bob. The two-qubit state obtained by performing a partial trace over 
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Eve's ancilla, 

PAB = Tr E [|*ABE) (*abe|} , (9) 

is what Eve sends to Alice and Bob. The geometry of Eve's ancilla states are fully 
determined by pab, the state Eve chooses, and the free choice of basis we used for 
Alice and Bob in writing (7). With pab in the form of (2), Eve is thus constrained 
by the values of Cjk in (3). 

4. Raw-data attacks 

Eve's task is to maximize the mutual information between Alice and herself. For 
every state pab that Eve chooses to send, she has a corresponding optimal POVM 
that maximizes her mutual information. Hence hers is a double optimization prob- 
lem: first, she has to find the best POVM and, second, she has to choose the most 
advantageous values for the seven adjustable coefficients that do not appear in (3). 
The optimal POVM depends, of course, on the parameter choice. 

The optimization has to be done with respect to Eve's four input states. They 
are the ancilla states conditioned on Alice measuring z± or x±. Each of these states 
has rank two. 

In practice, Eve does not have to make use of ancillas for an attack on the raw 
data. Once she decides which POVM to use on her ancillas, she can trace out her 
subsystem from the state (7) conditioned on her intended POVM outcomes. The 
remaining ensemble of states would then give the pre-manufactured states that Eve 
should send to Alice and Bob. 

We restrict our study to the symmetric case of c 02 = c 20 = Ci 2 = c 2 i = C23 = 
C32 = 0, where pab is symmetric under the interchange of Alice and Bob, and all 
expectation values Cjk = (cj ® Gk) vanish if cither aj = er 2 or <7k — &i but not both. 
Although there exist subspaces outside the symmetric region where the accessed 
information equals the accessed information in the symmetric region, numerical 
simulations suggest strongly that Eve has no advantage from nonsymmetric states. 

In this symmetric regime, then, Eve's four ancilla states in the basis specified 
by (7) are mutually orthogonal, 

(E i \E k )=5 jk {E j \E j ), (10) 

so that the right-hand side of (7) is the Schmidt decomposition of I^abe), and pab 
is a weighted sum of projectors on the Bell states (8) with the weights given by 

= J(3-2e-c 22 ), 
(E 2 \E 2 ) = (E 4 \E 4 ) = 1(1 + 022), 

(E 3 \E 3 ) = I(-l + 2e-C22). (11) 
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Fig. 1. The shaded area indicates the region of permissible values of C22 so that pab is positive. 
In the darker shaded region, pAB is separable. The straight line a corresponds to the state that 
Eve would be restricted to if she were forced to send the state (1), which is the case when Alice 
and Bob perform complete tomography. For C22 values on curve b, Eve sends a maximum-entropy 
state to Alice and Bob. The thick line c gives the maximum-separability state for a fixed e < 1/2. 
Along line d, where C22 = 0, Eve can have 1/2 bits of mutual information with Alice. Since the 
accessible information decreases with |c22 1 , the lines c and d provide Eve with the largest accessible 
information. 



The positivity of p\B thus requires 

-l<c 22 <2e-l, (12) 

which identifies the shaded area in Figure 1. 

The reduced ancilla states that are conditioned on Alice getting one of her four 
measurement results z+, z—, x+, or x— are then given by 

Pz± = {\E X ) ± \E 2 )) (( El \ ± (E 2 \) + (\E 3 ) ± \E 4 ))((E 3 \ ± (E 4 \) , 

Px± = (\ El ) T |£ 4 »((i?i| T (E4) + (\E2) ± \E 3 ))((E 2 \ ± (E 3 \) , (13) 

each of them occurring with probability j. It is thus Eve's task to discriminate 
between these states as best as she can, by a suitable POVM, whereby the figure 
of merit is the accessed information, equal to the mutual information between Eve 
and Alice that results from the chosen POVM. 
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5. POVMs that maximize the mutual information 

The mutual information that Eve achieves is maximized, at least locally, by a von 
Neumann measurement composed of the projectors to the following kets: 
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The mutual information obtained from this POVM is 

^AE = ^(v / l 3 ^7) , (15) 

independent of e. 

In fact, this POVM is not the only one that attains this mutual information. 
Since Eve's conditioned ancilla states (13) have real coefficients in the basis of the 
\Ej) kets, the complex conjugate of (14) gives exactly the same mutual information. 
And so does any convex combination of these two POVMs, although the members 
of the so-formed POVM arc no longer of rank one. In particular, an equal-weight 
combination gives an optimal POVM with real coefficients. Consult Ref. 2 for more 
details about this matter. 

Eve makes use of her freedom to select any C22 value within the limits of (12) 
such that Jae is largest. This amounts to choosing the smallest permissible value 
of I C22 1 ■ For e > \, this is C22 = 0, giving the straight line (d) in Fig. 1; for e < \ 
the best choice is c 22 = — (1 — 2e), which traces out line (c) in Fig. 1. 

Accordingly, Eve has 

/ aE( ,)4H 2 v^)'»»^!- (16) 

l 5 for 1 < e < 1 , 

after optimizing the value of c 2 2- The comparison with /ab(c) of (5) then implies 
that the BB84 protocol is secure under raw-data attacks when e <\, which corre- 
sponds to a quantum bit error rate of 10%. 

Figure 2 shows /ae(c) for the c 2 2 values along curves a, b, and c in Fig. 1, for 
the relevant range of < e < \. Also shown is 7ab(c) of (5), which decreases as e 
increases. 
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Fig. 2. The decreasing function shows the mutual information 7ab between Alice and Bob as 
given in (5). Curve a gives Eve's accessible information (15) when she honestly sends the unbiased- 
noise state (1). Eve is restricted to this if Alice and Bob were to perform complete tomography 
on their states. Curve b plots Eve's accessible information when she sends a state with maximum 
entropy, and curve c applies when she sends the state with the largest degree of separability, or 
the smallest concurrence, and thus achieves the optimum of (16). The curves a, b, and c intersect 



Alice and Bob's mutual information at e = 1 - i/l/2 = 0.2929, e = 1 - J y/5/4 - 1/2 = 0.2138, 
and e = 1/5 = 0.2000, respectively. — The dashed curve shows 4e SW) (<:) of (20). 

6. Largest degree of separability, smallest concurrence 

As is clearly shown by Figs. 1 and 2, Eve's best choice for c 22 docs not amount to 
sending the unbiased-noise state (1) to Alice and Bob, for which C22 = — (1 — e), nor 
the two-qubit state with the largest entropy, for which c 22 = — (1 — e) 2 . 7 Rather, 
Eve sends the state with the largest degree of separability S, a quantity intro- 
duced by Lewenstein and Sanpera, 8 and the smallest value of the Hill-Wootters 
concurrence C. 9 

For the two-qubit state pab under consideration, which is diagonal in the Bell- 
state basis of (8) and thus "self-transposed" in the terminology of Ref. 10, one 
has 



so that S + C = 1 and maximizing S is tantamount to minimizing C. For other 
families of states, however, different states may realize the largest S value and the 
smallest C value. Since the self-transposed states do not offer a clue, we leave it as 
a moot point which of the two quantities is the crucial one. 




(17) 
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7. Maximal entropy 

The POVM of Sec. 5 and the thresholds of Fig. 2 apply when it is Eve's objective 
to gain maximal knowledge about Alice's measurement results, for each qubit pair 
sent to Alice and Bob. In other words, Eve is attacking the raw data that have the 
correlations of Tabic 1. 

These correlations are turned into a cryptographic key by a suitable error- 
correcting code for one-way communication from Alice to Bob. For this purpose, 
the measurement results are identified with the letters of an alphabet — such as 
(z+,z-,x+,.t-)=(A,B,C,D) for Alice and (z+, z-, x+, z-)=(B,A,D,C) for Bob 
- and the code words are sequences of A, B, C, and D. Alice chooses at random 
one of the code words and informs Bob, over a public channel, which of her measure- 
ment results make up the code words ("Listen, it's qubits 101, 17, 53, 2674, . . ."). 
Bob's corresponding measurement results constitute the received word, which he 
can then decode to the code word Alice sent. The sequence of transmitted code 
words, or perhaps a single very long code word, are then the key for the one-time- 
pad encryption. 

Clearly, Eve is much more interested in this key than in the raw data from 
which it is generated. If she has the technical means for storing her ancillas, she 
will not measure them until after Alice has publicly announced the qubit pairs that 
contribute to the code words. Only then will Eve measure the respective ancillas 
jointly, thereby gaining more information per qubit pair, possibly as much as the 
Holevo-Schumacher-Westmoreland bound 11 grants, 

I { ae W) = S(pe) - £ S(p a ), (18) 

fz± 
a =\x± 

where 

i 4 

P* = - A Hp<* = ll\ E i)( E i\ ( 19 ) 

a j = l 

is the over-all ancilla state, and S(p) = — tr{plog 2 p} is the von Neumann entropy 
in units of bits. The non-zero eigenvalues of each p a are 1 — and |e, and the 
eigenvalues of pe are the probabilities of (11), so that Ij^ W ^ is readily evaluated. 

Since S(p a ) does not depend on C22, the C22 value for which -fjy^f^ is largest, 
is the value for which ps has maximal entropy. It is also the C22 value for which 
Pab has maximal entropy because pe and pab arc unitarily equivalent. As stated 
above, this happens for c 2 2 = — (1 — e) 2 . Then 

/i^ SW) (e) = 1 - $(1 - e ) = 1 - 2/ AB (e) , (20) 

so that the corresponding threshold value for e is determined by Jab ( e ) = §• This 
gives e = 0.1230, or a quantum bit error rate of 6.15%, as is illustrated by the 
dashed curve in Fig. 2. 
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8. Conclusion 

We have considered quantum key distribution from the raw-data correlations of the 
BB84 scheme by one-way communication, and have established the noise thresholds 
for eavesdropping attacks on the raw data and on the generated key. Owing to the 
incomplete state tomography in the BB84 scenario, Eve can choose the two-qubit 
state she sends to Alice and Bob from a seven-parameter family. Our analysis 
invokes a plausible symmetry conjecture, which is unproven as yet but backed by 
numerical evidence, namely that Eve can restrict herself to sending self-transposed 
states to Alice and Bob, which have only one free parameter. 

We find that the noise threshold for the raw-data attack is e = -|, which Eve 
achieves by distributing the two-qubit state with the smallest concurrence, or the 
largest degree of separability, to Alice and Bob. By contrast, the ultimate attack on 
the generated key is most powerful when the two-qubit state with maximal entropy 
is sent, and the resulting threshold is at e = 0.1230. The corresponding quantum 
bit error rates, after the bases matching in the standard BB84 protocol, are 10% 
and 6.15%, respectively. Comparison with the accepted threshold for unconditional 
security for BB84, about 12. 4%, 12 thus establishes that the key extraction by two- 
way communication (bases matching etc.) is advantageous for Alice and Bob. 
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